[ad_1]
The bluetooth fault exposes a kit from Apple, Intel, Qualcomm and more to MITM attacks
SECURITY BOFFINS has discovered a vulnerability in Bluetooth that allows attackers to potentially intercept communications between paired devices.
CVE-2018-5383, was unveiled by Lior Neumann and Eli Biham, cybersecurity researchers from the Israel Institute of Technology, who note that two Bluetooth features – Secure Simple Pairing and LE Secure Connections – are affected.
The problem stems from the fact that the Bluetooth specification recommends, but does not require, that a device that supports Secure Simple Pairing or LE Secure Connections validates the public key received live at the time. pairing with a new device.
In such cases, the connections between these devices could be vulnerable to a "man-in-the-middle" attack that would monitor or manipulate the traffic, "said Bluetooth SIG in its notice.
"For an attack to succeed, an attacking device would have to be in the wireless range of two vulnerable Bluetooth devices that were undergoing a matching procedure," the equipment added.
"The attacking device should intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet into the receiving device in a narrow time window.If only one device exhibited the vulnerability, the attack would fail.] 19659004] A host of devices are affected, and Apple, Broadcom, Qualcomm Intel are among those who have already postponed patches. devices remain unchanged.
Bluetooth SIG stated that it has now updated the Bluetooth specification to require that products validate any public key received as part of security procedures based on public keys, adding that 39, there is no evidence that the fault is exploited.
"There is no evidence that the vulnerability was exploited maliciously and the B luetooth SIG has no knowledge of any device implementing the attack having been developed, including by researchers who have identified the vulnerability, "the statement said. μ
Further reading
Source link